Endpoint Vulnerability

Microsoft Office XSS Elevation of Privilege Vulnerability

Description

An elevation of privilege vulnerability exists when an Office Web Apps server does not properly sanitize a specially crafted request. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected Office Web Apps server. The attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the victim, such as change permissions, delete content, steal sensitive information (such as browser cookies), and inject malicious content in the browser of the victim.

Affected Products

Excel Services on Microsoft SharePoint Server 2013 Service Pack 1,Excel Services on Microsoft Sharepoint Server 2010 Service Pack 2 Bad,Microsoft Excel Web App 2010 Service Pack 2,Microsoft Office Web Apps 2010 Service Pack 2,Microsoft Office Web Apps Server 2013 Service Pack 1,Office Online Server

References

CVE-2017-0195,